If I could get away with it, I'd like to try something which looks like it's that insecure but really just uses URL rewriting to drive a conventional locked down back end, then watch the server logs for whatever poo poo people fling at it.
Oct 16, 2013 12:37

It really is interesting to see that kind of stuff people try - well, for a while, then it gets boring. We have a feedback form that is constantly a target with crap like this:
code:
stuxracer fucked around with this message at 15:33 on Oct 16, 2013
Oct 16, 2013 15:29

substitute posted:
> Just encountered this in the URL bar on a partner's website: ftp://username:password@server/absolute/path/to/page.html

As an extra perk the server kept collapsing every few minutes under "too many connections".
Oct 16, 2013 15:52

Beamed posted:
> If I recall someone actually took advantage of it to hack it, and claimed that it was to warn the devs or something.

Some people advocated for exploiting it because that was the only way they could see to prove to the meatboy devs who just wouldn't listen that it was really a problem. Those people were compared to victim-blaming rapists, which was hyperbolic and inflammatory though not entirely inaccurate.
Oct 16, 2013 16:09

stuxracer posted:
> It really is interesting to see that kind of stuff people try - well for a while then it gets boring. We have a feedback form that is constantly a target with crap like this

That kind of stuff is probably just webcrawling bots that just hit every form they see with a bunch of attacks. Why target one site with an obscure vulnerability when you can target millions and assume some small percentage have obvious vulnerabilities?
Oct 16, 2013 17:33

Dessert Rose posted:
> You could also read the actual story in this very thread. There's even a convenient link literally two posts before yours!

I read the whole thread and read about it already, but there was more drama than that involved.
Oct 16, 2013 18:10

evensevenone posted:
> That kind of stuff is probably just webcrawling bots that just hit every form they see with a bunch of attacks. Why target one site with an obscure vulnerability when you can target millions and assume some small percentage have obvious vulnerabilities?
Oct 16, 2013 18:57

I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase, but there are just constantly new and wonderful surprises in there.
Java code:
Oct 16, 2013 19:43

I would fire that person so hard. God drat, that's such a flawed understanding of basic data structures, ugh.
Oct 16, 2013 19:48

HORATIO HORNBLOWER posted:
> I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

Is there any actual reason for this other than to degrade average case performance from O(1) to O(n)? Because I can't see any other reason.
Oct 16, 2013 19:50

nuvan posted:
> Is there any actual reason for this other than to degrade average case performance from O(1) to O(n)? Because I can't see any other reason.

Paid per line of code, and paid to improve performance metrics over baseline. Get paid once making it slow, get paid twice making it fast.
Oct 16, 2013 19:59

evensevenone posted:
> That kind of stuff is probably just webcrawling bots that just hit every form they see with a bunch of attacks. Why target one site with an obscure vulnerability when you can target millions and assume some small percentage have obvious vulnerabilities?

At work we have a bot that attacks one of our sites by requesting a query page with an empty query. Every 5 minutes. All an empty query does is we give you an error page saying "whoops you didn't give us a query". It only involves the top level of our stack since the request immediately fails basic input validation. It's too slow to even be a simple DoS. It has been doing this for years.

It is able to cycle user agent and IP address when we block it (it's not high volume enough for us to really care about seriously smacking it down). It's sophisticated enough to elude simple blocking schemes but not sophisticated enough to do anything but request the same error page over and over and over. It's like a really dumb pet at this point.

There's thousands of bots out there that do similarly nonsensical things. I'd like to think the sum total of this traffic is the first tentative wisps of the Internet going sentient.
Oct 16, 2013 20:21

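An added example, not from the poster above, of how a defender could spot that "dumb pet" by behaviour rather than by IP or user agent, both of which the bot rotates. The log lines, the cadence and the function names are constructed; it infers the period from the gaps between hits to the same path and query and counts only the hits that sit on that cadence, so a real user who hits the same error page once is not swept up.

```python
import re
import statistics
from datetime import datetime

# Constructed Apache combined-format lines. The five /search?q= hits at 20:00, 20:05,
# 20:10, 20:15 and 20:20 are the thread's "dumb pet": one empty query every 300 s from
# a rotating IP and user agent. 20:11:45 is a real user who hit the same error page once.
LOG = """\
10.0.0.5 - - [16/Oct/2013:20:00:01 +0000] "GET /search?q= HTTP/1.1" 400 123 "-" "Mozilla/5.0 (X11)"
10.0.0.9 - - [16/Oct/2013:20:05:02 +0000] "GET /search?q= HTTP/1.1" 400 123 "-" "curl/7.30"
10.0.1.3 - - [16/Oct/2013:20:10:00 +0000] "GET /search?q= HTTP/1.1" 400 123 "-" "Mozilla/4.0 (compatible)"
192.0.2.11 - - [16/Oct/2013:20:11:45 +0000] "GET /search?q= HTTP/1.1" 400 123 "-" "Mozilla/5.0"
10.0.2.7 - - [16/Oct/2013:20:15:01 +0000] "GET /search?q= HTTP/1.1" 400 123 "-" "Wget/1.14"
10.0.0.5 - - [16/Oct/2013:20:20:03 +0000] "GET /search?q= HTTP/1.1" 400 123 "-" "Mozilla/5.0 (X11)"
192.0.2.10 - - [16/Oct/2013:20:03:17 +0000] "GET /search?q=widgets HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+?)(?:\?(\S*))? \S+" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def find_periodic_requests(log_text, tolerance=5, min_hits=4):
    """Flag (path, query) pairs requested on a fixed cadence, keyed on behaviour
    rather than on source IP or user agent, which the bot in the post rotates."""
    groups = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, _method, path, query, _status, ua = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        groups.setdefault((path, query or ""), []).append((t, ip, ua))
    findings = {}
    for key, hits in groups.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _, _ in hits)
        # Cadence = most common gap between consecutive hits, rounded to the
        # tolerance so that 298 s and 302 s count as the same gap.
        gaps = [round((b - a) / tolerance) * tolerance for a, b in zip(times, times[1:])]
        period = statistics.mode(gaps)
        # A hit is on-cadence if another hit sits one period before or after it.
        members = [h for h in hits
                   if any(abs(abs(u - h[0]) - period) <= tolerance for u in times)]
        if len(members) < min_hits:
            continue
        findings[key] = {"period_s": period, "hits": len(members),
                         "ips": len({ip for _, ip, _ in members}),
                         "uas": len({ua for _, _, ua in members})}
    return findings

if __name__ == "__main__":
    print(find_periodic_requests(LOG))
```
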
substitute posted:
> Just encountered this in the URL bar on a partner's website:

Update: It goes so much deeper... I can't even...
Oct 16, 2013 20:26

Come on, spit it out.
Oct 16, 2013 21:16

Suspicious Dish posted:
> Come on, spit it out.

GET method forms that accept basically anything and make them hidden fields. Or hell, close the tag and inject/display whatever you want on the page. POST method forms with hidden fields and the values are full SQL statements.
Oct 16, 2013 21:33

substitute posted:
> GET method forms that accept basically anything and make them hidden fields. Or hell, close the tag and inject/display whatever you want on the page.

In short, an abridged history of every web vulnerability ever.
Oct 16, 2013 21:38

HORATIO HORNBLOWER posted:
> I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

Well, you made my eyes bulge, which is an achievement I suppose.
Oct 16, 2013 22:01

1337JiveTurkey posted:
> If I could get away with it, I'd like to try something which looks like it's that insecure but really just uses URL rewriting to drive a conventional locked down back end, then watch the server logs for whatever poo poo people fling at it.

Our app's error logs are 99% people trying to exploit query strings (for pages, etc.) with SQL injections and string format attacks. Some of them are pretty clever, but we just cast the entire string to an integer so.
Oct 16, 2013 22:03

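An added example, not code from anyone in this thread, of the "cast the entire string to an integer" defence in the post above, applied to the id-in-the-query-string and SQL-in-a-hidden-field forms described a few posts earlier. The table, the inputs and the function names are constructed; it uses a strict digit allow-list rather than a bare int() cast because Python's int() accepts more than one might expect, and it keeps a parameterised query so the value never becomes SQL text.

```python
import re
import sqlite3

# Constructed in-memory table standing in for whatever the query string's id refers to.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
_conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (42, "About")])

# Strict allow-list: one to nine ASCII digits. A bare int() cast is looser than it
# looks in Python: int(" 42 "), int("+42"), int("4_2") and int("٤٢") all succeed.
_ID_RE = re.compile(r"[0-9]{1,9}")

_rejected = []  # what the post above calls the error log: everything that failed validation

def parse_page_id(raw):
    """Return the page id as an int, or None (and log the raw value) if it is not a plain integer."""
    if _ID_RE.fullmatch(raw) is None:
        _rejected.append(raw)
        return None
    return int(raw)

def fetch_title(raw):
    """Look up a page by the raw query-string value; the value is bound, never concatenated into SQL."""
    page_id = parse_page_id(raw)
    if page_id is None:
        return None
    row = _conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None

def rejected_inputs():
    return list(_rejected)

if __name__ == "__main__":
    # Constructed inputs: two legitimate ids, the rest in the spirit of what fills such error logs.
    for raw in ["42", "1", "42 OR 1=1", "%s%s%n", "4_2", "+42", "99"]:
        print(repr(raw), "->", fetch_title(raw))
    print("rejected:", rejected_inputs())
```
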
Hard NOP Life posted:
> I would fire that person so hard, god drat that's such a flawed understanding of basic data structures ugh

The person who wrote this code left our company about a year ago. He got a better offer somewhere else. This is actually some of the more lucid code he was responsible for, in that it is desperately wrong-headed but you can actually almost comprehend what it's trying to do.
Oct 16, 2013 22:47

HORATIO HORNBLOWER posted:
> The person who wrote this code left our company about a year ago. He got a better offer somewhere else. This is actually some of the more lucid code he was responsible for, in that it is desperately wrong-headed but you can actually almost comprehend what it's trying to do.

Whenever I feel like I'm not a good enough programmer I read things like this and remember the truth.
Oct 17, 2013 00:42

General Olloth posted:
> Whenever I feel like I'm not a good enough programmer I read things like this and remember the truth.

That misery loves
Oct 17, 2013 03:11

HORATIO HORNBLOWER posted:
> I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

I've been in CS for the past 9 years, including jobs in industry, and this looks so bonkers to me that it makes me feel like I am missing something... He is basically replacing map[key]=Val with an iteration, then ends up calling the proper setter anyway, right? Why?
Oct 17, 2013 04:13

Job security.
Oct 17, 2013 04:17

shodanjr_gr posted:
> He is basically replacing map[key]=Val with an iteration, then ends up calling the proper setter anyway, right? Why?

I think he thinks put only works if the key isn't already in the dictionary.
Oct 17, 2013 04:19

shodanjr_gr posted:
> I've been in CS for the past 9 years, including jobs in industry and this looks so bonkers to me that it makes me feel like I am missing something...

If map[key] exists, set it to val and return. If it doesn't, create it with the value.
Oct 17, 2013 06:04

Bobbin Threadbear posted:
> if map[key] exists, set it to val and return. If it doesn't, create it with the value.

Ok, so it's basically as retarded as it looks.
Oct 17, 2013 06:12

But... like... how would you know to use a hashtable, without also knowing why you should not iterate through it?
Oct 17, 2013 07:34

Maybe at first he used a list, then someone told him he should use a hashtable instead, and, well...
Oct 17, 2013 07:56

This is what I wrote trying to be as generic as possible. Deleted the comments because they were in my native language. Observe.
code:
EDIT: This is supposed to be a 1D cellular automaton simulator or w/e that's called.
Incrediblastic fucked around with this message at 09:05 on Oct 17, 2013
Oct 17, 2013 08:54

HORATIO HORNBLOWER posted:
> I don't even know what to say about this. I thought I was used to seeing terrible code in our rotten, diseased codebase but there's just constantly new and wonderful surprises in there.

Have seen a similar thing, except it was more like this:
code:
Oct 17, 2013 14:58

substitute posted:
> Update:

Official (summarized) response from developer: You can wildly query the database and insert code in the page/display, but the site can't be hacked with any of this stuff. Thanks.
Oct 17, 2013 15:15

substitute posted:
> Official (summarized) response from developer:

I bet you could execute a SELECT statement that brings the DB server to its knees.
Oct 17, 2013 15:19

At the very end of a 3KLOC utility class:
Java code:
Oct 17, 2013 15:34

IMlemon posted:
> At the very end of 3KLOC utility class:

Jeez, it's like you want test cases to fail, you monster.
Oct 17, 2013 15:59

ikanreed posted:
> Jeez its like you want test cases to fail, you monster.

"tets" cases.
Oct 17, 2013 16:07

Suspicious Dish posted:
> I think he thinks put only works if the key isn't already in the dictionary.

And there's a fair chance that he convinced himself of this while struggling to fix some bug in his code, and now bitches about how stupid it is that Java makes you do that.
Oct 17, 2013 16:11

"Java is so verbose, I could have done this in one line in Python"
Oct 17, 2013 16:22

Java code:
Oct 17, 2013 16:36

If you don't see the utility in that, I don't know what's wrong with you.
Oct 17, 2013 16:40

One of the core abstractions in the system I'm working on right now.
Java code:
Oct 18, 2013 08:50